formbook | ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8

General

Target

20210113432.exe
Size

1.0MB
MD5

13dbc9c1c5a2811ecbee5f420c9c75b6
SHA1

6b01e540d3757944b61baa187159a908e170d5ae
SHA256

ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
SHA512

ae1414b91ba91a29575901ac0daf55aa937454b1afcd53d7d0c9461ca2b48d65bb1f3213ad23853987a40381a2f57be359fdbf7848ff57432b5e95ffd4cbcea1

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.southsideflooringcreations.com/dkk/

Decoy

goldenfarmm.com

miproper.com

theutahan.com

efeteenerji.com

wellfarehealth.com

setricoo.com

enjoyablephotobooths.com

semaindustrial.com

jennywet.com

jackhughesart.com

cantgetryte.com

searko.com

zxrxhuny.icu

exoticorganicwine.com

fordexplorerproblems.com

locationwebtv.net

elinvoimainenperhe.com

mundoclik.com

nouvellenormale.com

talasnakliyat.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/940-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/940-13-0x000000000041EC00-mapping.dmp	formbook
behavioral2/memory/2984-14-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

20210113432.exe20210113432.exemsiexec.exe

description	pid	process	target process
PID 3888 set thread context of 940	3888	20210113432.exe	20210113432.exe
PID 940 set thread context of 2092	940	20210113432.exe	Explorer.EXE
PID 2984 set thread context of 2092	2984	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

20210113432.exemsiexec.exe

pid	process
940	20210113432.exe
940	20210113432.exe
940	20210113432.exe
940	20210113432.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe
2984	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

20210113432.exemsiexec.exe

pid process

940 20210113432.exe
940 20210113432.exe
940 20210113432.exe
2984 msiexec.exe
2984 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20210113432.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 940 20210113432.exe
Token: SeDebugPrivilege 2984 msiexec.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2092 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	940	20210113432.exe
Token: SeDebugPrivilege	2984	msiexec.exe

pid	process
2092	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

20210113432.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 3888 wrote to memory of 940	3888	20210113432.exe	20210113432.exe
PID 3888 wrote to memory of 940	3888	20210113432.exe	20210113432.exe
PID 3888 wrote to memory of 940	3888	20210113432.exe	20210113432.exe
PID 3888 wrote to memory of 940	3888	20210113432.exe	20210113432.exe
PID 3888 wrote to memory of 940	3888	20210113432.exe	20210113432.exe
PID 3888 wrote to memory of 940	3888	20210113432.exe	20210113432.exe
PID 2092 wrote to memory of 2984	2092	Explorer.EXE	msiexec.exe
PID 2092 wrote to memory of 2984	2092	Explorer.EXE	msiexec.exe
PID 2092 wrote to memory of 2984	2092	Explorer.EXE	msiexec.exe
PID 2984 wrote to memory of 2428	2984	msiexec.exe	cmd.exe
PID 2984 wrote to memory of 2428	2984	msiexec.exe	cmd.exe
PID 2984 wrote to memory of 2428	2984	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\20210113432.exe
"C:\Users\Admin\AppData\Local\Temp\20210113432.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\20210113432.exe
"C:\Users\Admin\AppData\Local\Temp\20210113432.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\20210113432.exe"
3⤵
PID:2428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/940-13-0x000000000041EC00-mapping.dmp

Download
memory/2428-17-0x0000000000000000-mapping.dmp

Download
memory/2984-18-0x00000000058F0000-0x0000000005A3E000-memory.dmp

Filesize
1.3MB

Download
memory/2984-16-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/2984-15-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/2984-14-0x0000000000000000-mapping.dmp

Download
memory/3888-7-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/3888-11-0x00000000063B0000-0x000000000641A000-memory.dmp

Filesize
424KB

Download
memory/3888-10-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/3888-9-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3888-8-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3888-6-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3888-5-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3888-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads